I have an issue transforming data and extracting the field values. Here is my sample data.

2025-07-20T10:15:30+08:00 h1 test[123456]: {"data": {"a": 1, "b": 2, "c": 3}}

The data has a timestamp and other information at the beginning, and the data dictionary at the end. I want my data to go into Splunk in JSON format. Other than the data, what I need is the timestamp. So I created a transform to pick only the data dictionary and move the timestamp into that dictionary. Here are my transforms.

[test_add_timestamp]
DEST_KEY = _raw
REGEX = ([^\s]+)[^:]+:\s*(.+)}
FORMAT = $2, "timestamp": "$1"}
LOOKAHEAD = 32768

Here is my props to use the transforms.

[test_log]
SHOULD_LINEMERGE = false
TRUNCATE = 0
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
TIME_PREFIX = timestamp
MAX_TIMESTAMP_LOOKAHEAD = 100
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TZ = UTC
TRANSFORMS-timestamp = test_add_timestamp

After the transform, the data will look like this.

{"data": {"a": 1, "b": 2, "c": 3}, "timestamp": "2025-07-20T10:15:30+08:00"}

But when I search the data in Splunk, why do I see "none" as a value for timestamp as well? Another thing I noticed is that in my Splunk index, which has a lot of data, I can see that a few events have this timestamp extracted, and most of them have no timestamp, which is fine. But when I click "timestamp" under interesting fields, why is it showing only "none"? I also noticed that some of the JSON keys are not available under "interesting fields". What is the logic behind this?
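As an added emulation (not Splunk's code and not the poster's), the Python below applies the post's REGEX/FORMAT to the sample line and to a constructed line that has no JSON dictionary, flattens the resulting JSON the way KV_MODE = json names nested fields, and returns the text that follows the TIME_PREFIX match. LINE_PLAIN and the dot-flattening helper are assumptions made for the example; the stanza values are copied from the post.

```python
import json
import re

# Constructed sample lines: the first copies the post's example; the second has
# no trailing JSON dictionary, so the transform REGEX will not match it.
LINE_JSON = '2025-07-20T10:15:30+08:00 h1 test[123456]: {"data": {"a": 1, "b": 2, "c": 3}}'
LINE_PLAIN = '2025-07-20T10:16:00+08:00 h1 test[123456]: service started'

# REGEX/FORMAT from the post's [test_add_timestamp] stanza and
# TIME_PREFIX/MAX_TIMESTAMP_LOOKAHEAD from its [test_log] stanza.
TRANSFORM_REGEX = re.compile(r'([^\s]+)[^:]+:\s*(.+)}')
TRANSFORM_FORMAT = '$2, "timestamp": "$1"}'
TIME_PREFIX = re.compile(r'timestamp')
MAX_TIMESTAMP_LOOKAHEAD = 100

def apply_transform(raw):
    """Emulate a transform with DEST_KEY = _raw: on a REGEX match, _raw becomes
    FORMAT with $1, $2, ... substituted by the groups; otherwise _raw is unchanged."""
    m = TRANSFORM_REGEX.search(raw)
    if not m:
        return raw
    out = TRANSFORM_FORMAT
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f'${i}', group)
    return out

def json_fields(raw):
    """Emulate KV_MODE = json: fields only exist when the whole event is a JSON
    object; nested keys are flattened with dots (data.a, data.b, ...)."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    flat = {}
    def walk(prefix, value):
        if isinstance(value, dict):
            for key, child in value.items():
                walk(f'{prefix}{key}.', child)
        else:
            flat[prefix[:-1]] = value
    walk('', obj)
    return flat

def text_after_time_prefix(raw):
    """Return the text handed to timestamp parsing: the MAX_TIMESTAMP_LOOKAHEAD
    characters after the first TIME_PREFIX match, or None when it does not match."""
    m = TIME_PREFIX.search(raw)
    if not m:
        return None
    return raw[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
```

Note that the text returned for the transformed event begins with the literal `": "` before the timestamp value, because TIME_PREFIX matches only the word timestamp.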